Up and Over the Windows Firewall
(copied from an email sent to me. This may be on the web somewhere, but I just copied it here for reference purposes)
I installed Windows XP Service Pack 2 on my test system a few weeks ago and started playing with it. A lot of what I call "playing" entails remote administration and management. I wanted to see what SP2—especially the much-hyped new Windows Firewall—would do for (or to) remote management. Naturally, it pretty much broke everything.
The first thing I noticed was the constant warnings that my XP system wasn't running an antivirus package. For legal purposes, Microsoft made XP SP2 complain incessantly until you installed antivirus software, which you had to purchase from another software company. I'm OK with that. We should all be running antivirus software and I don't mind being reminded.
But the minute I tried to Remote Desktop into my newly service-packed machine, I was stymied. Nothing connected. Windows Firewall, it turns out, works spectacularly. You just can't touch a remote XP box once that firewall is running. This is somewhat irritating when I've got several clients making heavy use of remote management scripts that are now, essentially, useless. I know I can control the Windows Firewall through some Group Policy settings, but my test XP box isn't a domain member, so I wanted to look at alternatives.
I found the start of a solution on the blog of a Microsoft Scripting Guy. Seems Windows Firewall is accessible to VBScript. He provides the following four lines of code to set the firewall to allow RPC connections, which is what Windows Management Instrumentation (WMI) and many other remote management scripts need to operate:
' Get the Windows Firewall manager object and the currently active profile
Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
' The remote administration settings control the RPC/DCOM exception
Set objAdminSettings = objPolicy.RemoteAdminSettings
' Turn the remote administration exception on
objAdminSettings.Enabled = True
Problem is, you have to first get the script onto the machine, which is near impossible with Windows Firewall running. In a domain, you might assign the script as a logon script or startup script and it'd take care of business. You can do a better job with Group Policy, allowing incoming RPC connections only from the local subnet, for example, if that's where you'll be running management scripts.
Obviously, you need to use a script like this with some caution. Make sure you're not opening a hole bigger than you need—the firewall exists to help protect client machines and if you indiscriminately shut it off or punch it full of holes you're defeating that protection.
-- Don Jones
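The same COM object can apply the "local subnet only" restriction the email recommends, without Group Policy. The script below is an added example, not code from the email or from the Scripting Guy post; it uses the HNetCfg.FwMgr object and the documented INetFwRemoteAdminSettings.Scope property (NET_FW_SCOPE_LOCAL_SUBNET = 1), and prints the profile state before and after so the change can be verified.

```vbscript
' Added example: enable the remote administration (RPC/DCOM) exception of
' the Windows Firewall, but scope it to the local subnet rather than to
' every address, and show the state before and after the change.
Option Explicit

Const NET_FW_SCOPE_ALL = 0
Const NET_FW_SCOPE_LOCAL_SUBNET = 1

Dim objFirewall, objProfile, objRemote

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objProfile = objFirewall.LocalPolicy.CurrentProfile
Set objRemote = objProfile.RemoteAdminSettings

WScript.Echo "Firewall enabled:    " & objProfile.FirewallEnabled
WScript.Echo "Exceptions blocked:  " & objProfile.ExceptionsNotAllowed
WScript.Echo "Remote admin before: enabled=" & objRemote.Enabled & _
             " scope=" & objRemote.Scope

' Narrow the scope before enabling, so the exception never exists in the
' "all addresses" state, even briefly.
objRemote.Scope = NET_FW_SCOPE_LOCAL_SUBNET
objRemote.Enabled = True

WScript.Echo "Remote admin after:  enabled=" & objRemote.Enabled & _
             " scope=" & objRemote.Scope & _
             " addresses=" & objRemote.RemoteAddresses

' Flag the configuration the email warns against: an exception open to
' every remote address.
If objRemote.Enabled And objRemote.Scope = NET_FW_SCOPE_ALL Then
    WScript.Echo "WARNING: remote administration is reachable from any address"
End If
```

Run it locally with cscript from an administrator account; as the email notes, the firewall itself prevents pushing the script to the box remotely, so it has to get there by logon script, startup script or the console.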
8/25/2004 12:31:45 PM